What is the best way to connect our Windows 2008 SBS with another Windows 2008 Enterprise Server at a Branch Office?

Posted on 2011-09-29
Last Modified: 2012-05-12
Good evening.

We have our main server which is a Windows 2008 SBS and is our Domain Controller. We'd like to connect our Branch Office which has a Windows 2008 Enterprise server as a read-only active directory setup.

Is this possible with our current server OS setup? We are using LogMeIn Hamachi as a VPN solution. Any advice will be greatly appreciated!

Question by:Poly11
LVL 77

Expert Comment

by:Rob Williams
ID: 36818452
Hamachi can be used but it is not the most stable VPN solution and uses dynamic IP addressing for the tunnel creation. I would recommend using two VPN routers which start at about $150 for a unit like a Netgear FVS318 or Linksys/Cisco RV042.

You mention the remote server is a read only DC? Is it a member of the SBS domain? If so you are already connected. If a member of another domain you cannot create a trust with the SBS. Perhaps if you could provide more details.

Author Comment

ID: 36891615
Hi RobWill.

Thanks for the quick response. The remote server is a member of the SBS domain, at least it was before it was relocated to the branch office. I have opened the LDAP port on the firewall to allow the incoming and outgoing traffic, but I am still receiving NETLOGON errors in the event log of the remote server. The following is the error:

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

I can't open the Active Directory Users and Groups because it says the server is not operational. I have also opened the LDAP port on the firewall for the branch office. Are there other ports that should be opened?

I will try and convince the powers that be that a VPN hardware solution is recommended, however they love Hamachi because of its ease of use and central management capability. We have the paid version of LogMeIn Central which gives us use of Hamachi. I haven't noticed any IP addresses change over the past year.

Could you please let me know if it's possible to get both domain controllers remotely connected with what we have? Thanks again.
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 36892325
- A VPN should allow all traffic, so that shouldn't be an issue.
- The remote site must use a different subnet, does it?
- Because it is a different subnet some Windows services may not work. The default configuration in the Windows firewall for some services is to only allow access from the local subnet. To test this I would disable the Windows firewalls. If that resolves the problem we can proceed from there.
- I suspect though the issue is the routing. The remote server must see the SBS as its ONLY DNS server. Can the remote server ping the SBS? If not you may need to add static routes. If so this is why you need a pair of VPN routers. The static route would point to the Hamachi IP as the gateway. Hamachi assigns dynamic IPs so this is always changing, though you say you haven't seen any changes.
- Once the remote server can access the SBS you need to add the remote site and subnet in Active Directory Sites and Services, but I think the routing is the primary concern.

Let me know if the firewall makes a difference and if you can ping the SBS. If not I can supply routes to add.
Again the remote server can point only to the SBS, do not add local or ISP's DNS servers to the NIC configuration, they can be added as forwarders.
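A diagnostic script for the checks in the accepted answer above (DNS pointing only at the SBS, ping reachability, the TCP ports a DC needs, DC locator and secure channel), added here as an example and not part of the original thread. The SBS IP, domain name, head-office subnet and Hamachi gateway are placeholders you would replace; it uses only commands available on Windows Server 2008 era PowerShell.

```powershell
# Added example (not from the thread): checks for the branch-office DC, run in an
# elevated PowerShell on that server. Every value below is a placeholder assumption.
$SbsIp      = "192.168.1.10"   # assumed LAN IP of the SBS at head office
$DomainFqdn = "domain.local"   # assumed AD domain name
$HqSubnet   = "192.168.1.0"    # assumed head-office subnet behind the SBS
$HqMask     = "255.255.255.0"

# 1. DNS client must list ONLY the SBS; ISP/local DNS belong in forwarders on the SBS.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    $dns   = @($nic.DNSServerSearchOrder)
    $extra = @($dns | Where-Object { $_ -ne $SbsIp })
    if (($dns -contains $SbsIp) -and ($extra.Count -eq 0)) {
        Write-Host "OK   DNS on '$($nic.Description)' points only to $SbsIp"
    } else {
        Write-Host "WARN DNS on '$($nic.Description)' is '$($dns -join ',')'; should be only $SbsIp"
    }
}

# 2. Routing: can the remote server reach the SBS at all?
if (Test-Connection -ComputerName $SbsIp -Count 2 -Quiet) {
    Write-Host "OK   $SbsIp answers ping"
} else {
    Write-Host "FAIL no ping to $SbsIp; check routing. A persistent route through the"
    Write-Host "     Hamachi peer would be:  route -p add $HqSubnet mask $HqMask <hamachi-ip-of-sbs>"
}

# 3. TCP ports a DC needs to reach its partner (well-known AD ports; a VPN should pass all).
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP";
            445 = "SMB"; 636 = "LDAPS"; 3268 = "Global Catalog" }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($SbsIp, $p, $null, $null)
    $open   = $false
    if ($async.AsyncWaitHandle.WaitOne(2000, $false)) {
        try { $client.EndConnect($async); $open = $true } catch { $open = $false }
    }
    $client.Close()
    $state = if ($open) { "OK  " } else { "FAIL" }
    Write-Host ("{0} TCP {1,-5} {2}" -f $state, $p, $ports[$p])
}

# 4. DC locator and secure channel (the NETLOGON error in the question means these fail today).
nltest /dsgetdc:$DomainFqdn
nltest /sc_verify:$DomainFqdn
# 5. Once steps 2-4 pass, add the branch subnet and site in Active Directory Sites and Services.
```

A WARN in step 1 or a FAIL in step 2 matches the answer's diagnosis (DNS or routing) and should be fixed before looking at the port results, which depend on the route being in place.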

Expert Comment

ID: 36906538
I have found Hamachi doesn't consistently work for network to network traffic. The best way I have seen is firewall to firewall (point to point) setups. Then the two can act as the routers and gateways to route traffic through the right subnets. Most of them also won't allow you to use overlapping subnets, which will help you keep things as standard as possible. For ease, I have seen two Untangle firewalls work well (one is set as server, you then make a file to bring to the other one to make it a client, the app does all the configuring for you). I myself like the SonicWalls and found they work really well also.

In regards to the routing, I also agree. Often what you will see is something like unqualified lookups don't work. For example, pinging server1 does not work, but server1.domain.local will, or by IP will.

Author Closing Comment

ID: 36954643
Since the recommended changes, Hamachi has been working like a charm. Thanks again, Rob Will!
